Paul Hastings attended the 2023 Global Privacy Summit (GPS) hosted by the International Association of Privacy Professionals (IAPP). Privacy professionals from all over the world gathered in Washington, D.C. to learn about the latest developments in privacy and data protection.

The conference hosted over 85 panels with more than 200 speakers presenting on various issues. Here are some of the main takeaways of key topics discussed at this year’s conference—

Incident and Data Breach Response. Panelists highlighted the increased need for companies to implement adequate breach and incident response procedures and policies. Many companies have been victims of security incidents and breaches by various threat actors, such as organized criminals, national state actors, and even disgruntled employees. During a panel on privacy breach response, cybersecurity specialists and attorneys discussed the important distinction between security incidents and data breaches, explaining that a security incident cannot be characterized as a data breach until there has been a legal determination. To best prepare for a potential attack, the panelists recommended that companies follow these best practices:

• Assess risk posture and understand potential vulnerabilities;
• Ensure vendors have taken steps to secure data;
• Develop an incident response plan—on paper; and
• Identify outside counsel in advance.

Sensitive Data. With Iowa joining as the sixth state to pass a comprehensive state privacy law, the existing patchwork of privacy laws in the U.S. continues to grow. Many laws, like Iowa’s, and other sectoral laws related to health privacy, children’s data, and biometric privacy—just to name a few—have different approaches to regulating and defining sensitive data. Misuse of sensitive data can result in significant negative harms to individuals, such as identify theft, financial loss, and discrimination. Speakers on the Diving In: Exploring the Depths of Sensitive Personal Data Regulation in the US panel emphasized that more laws regulating sensitive data now provide for a private right of action—something that organizations should be aware of. Organizations that collect and use sensitive data should ensure that their current practices align with the various requirements of current and future laws.

Artificial Intelligence. Last, but certainly not least, AI seemed to take the center stage at this year’s GPS. In light of Italy’s recent ban of ChatGPT, and a letter signed by over 1,000 AI experts, entrepreneurs, and others calling for a pause on AI experiments, panelists emphasized the pressing risks that AI may have to fundamental rights, such as privacy. Speakers focused on the different approaches taken in the U.S. and the E.U., with the E.U. already proposing new legislation to regulate AI. On the other hand, some U.S. government officials have stated that the use of AI is already regulated in the U.S. through existing law, such as the FTC’s Section 5 Act, and civil rights laws like the Equal Credit Opportunity Act.

What Companies Should Do Now:

Based on the discussion of the three issues above, organizations should consider taking the following steps:

• Review current incident response plans and make updates as needed to comply with current laws and any changes to your organization.
• Update data maps/records of processing to account for new definitions of “sensitive data.”
• Review current policies around artificial intelligence and consider updates based on the growing proliferation of chatbots and other regulatory developments.

Like past years, the 2023 GPS was sure to spark exciting discussions on the latest developments in privacy and data protection. Our Privacy and Cybersecurity practice regularly advises companies on key issues like the ones mentioned above. If you have any questions concerning these issues or any other data privacy or cybersecurity developments, please do not hesitate to contact any member of our team.